General

Target: 10fe1805921ccea2cce4b75338b8024698067c54ff1590e747915885e491fa9b
Size: 1.0MB
Sample: 210904-q1hbkshdcr
MD5: 845e27c1b9c85259e43364ffe45b9f44
SHA1: f1b40b61d256717a866b60332fb25b9e45ce3684
SHA256: 10fe1805921ccea2cce4b75338b8024698067c54ff1590e747915885e491fa9b
SHA512: 38a1441efd0e1f5c9cf29c61be5467e05d310b77ceca5f883482968142e822b94755e6570b04fa82d9ac0b23a9349164cdb62bf43bebd6a5f77c865ef87c0423
Static task: static1

Behavioral task: behavioral1
Sample: 10fe1805921ccea2cce4b75338b8024698067c54ff1590e747915885e491fa9b.exe
Resource: win7-fr

Behavioral task: behavioral2
Sample: 10fe1805921ccea2cce4b75338b8024698067c54ff1590e747915885e491fa9b.exe
Resource: win7v20210408

Behavioral task: behavioral3
Sample: 10fe1805921ccea2cce4b75338b8024698067c54ff1590e747915885e491fa9b.exe
Resource: win10v20210408
Malware Config

Extracted: redline
Botnet: test
C2: 45.14.49.169:22411

Extracted: raccoon
Botnet: b8ef25fa9e346b7a31e4b6ff160623dd5fed2474
url4cnc: https://telete.in/iphbarberleo

Extracted: redline
Botnet: big_tastyyy
C2: 87.251.71.44:80

Extracted: redline
Botnet: testnewinstalls
C2: 45.129.236.6:21588

Extracted: redline
Botnet: NORMAN3
C2: 45.14.49.184:28743

Extracted: vidar
Version: 40.4
Botnet: 937
C2: https://romkaxarit.tumblr.com/
profile_id: 937

Extracted: metasploit
Payload: windows/single_exec

Extracted: smokeloader
Version: 2020
C2 (30 URLs):
http://fioajfoiarjfoi1.xyz/
http://rdukhnihioh2.xyz/
http://sdfghjklemm3.xyz/
http://eruiopijhgnn4.xyz/
http://igbyugfwbwb5.xyz/
http://shfuhfuwhhc6.xyz/
http://ersyglhjkuij7.xyz/
http://ygyguguuju8.store/
http://resbkjpokfct9.store/
http://sdfygfygu10.store/
http://hbibhibihnj11.store/
http://vfwlkjhbghg12.store/
http://poiuytrcvb13.store/
http://xsedfgtbh14.store/
http://iknhyghggh15.store/
http://wnlonevkiju16.site/
http://gfyufuhhihioh17.site/
http://nsgiuwrevi18.site/
http://oiureveiuv19.site/
http://ovrnevnriuen20.site/
http://apowkfeeifin21.site/
http://mewmofinoine22.site/
http://iefhuiehruiu23.site/
http://vjrnnvinerovn24.club/
http://roimvnnvwniov25.club/
http://fwenmfioewnjo26.club/
http://ewoijioewoif27.club/
http://fwjenfuihew28.club/
http://fwkejnfuiewn29.club/
http://fwkjenfuewnh30.club/

Extracted: vidar
Version: 40.4
Botnet: 898
C2: https://romkaxarit.tumblr.com/
profile_id: 898
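The config section above lists five families' indicators in the flattened key-less layout the report export produces. The following Python is an added example, not code from the report or from the sandbox that generated it: it parses that layout into one record per "Extracted" entry and turns the network indicators into Suricata rules. CONFIG_TEXT is an excerpt of the section above (one record per family, only two of the thirty SmokeLoader URLs); the classification of lines into C2 versus label, the rule templates and the sid range 9000000+ are assumptions of this example.

```python
"""Parse the flattened 'Malware Config' section of the sandbox report into
structured records and turn the network indicators into Suricata rules.
Added example; not code from the report or from the sandbox that produced it.
CONFIG_TEXT is an excerpt of the report's own config section."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

CONFIG_TEXT = """\
Extracted
redline
test
45.14.49.169:22411
Extracted
raccoon
b8ef25fa9e346b7a31e4b6ff160623dd5fed2474
-
url4cnc
https://telete.in/iphbarberleo
Extracted
vidar
40.4
937
https://romkaxarit.tumblr.com/
-
profile_id
937
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2020
http://fioajfoiarjfoi1.xyz/
http://rdukhnihioh2.xyz/
"""

URL_RE = re.compile(r"^https?://", re.I)
IPPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


@dataclass
class Extracted:
    family: str
    labels: list = field(default_factory=list)      # botnet id, version, payload name
    c2: list = field(default_factory=list)          # URLs and ip:port strings
    attributes: dict = field(default_factory=dict)  # key/value pairs introduced by a '-' line


def parse_config(text):
    """One Extracted record per 'Extracted' line.  Assumption about the layout:
    a URL or ip:port line is a C2, a '-' line is followed by an attribute key
    and its value, and every other line is a label (botnet id, version, ...)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, cur, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if line == "Extracted":
            cur = Extracted(family=lines[i + 1])
            records.append(cur)
            i += 2
        elif line == "-":
            cur.attributes[lines[i + 1]] = lines[i + 2]
            i += 3
        else:
            (cur.c2 if URL_RE.match(line) or IPPORT_RE.match(line) else cur.labels).append(line)
            i += 1
    return records


def network_iocs(records):
    """(family, tag, indicator) tuples.  URL-valued attributes such as Raccoon's
    url4cnc are C2 locators too, so they are included alongside the c2 list."""
    out = []
    for r in records:
        tag = "/".join([r.family] + r.labels)
        for ind in r.c2 + [v for v in r.attributes.values() if URL_RE.match(v)]:
            out.append((r.family, tag, ind))
    return out


def suricata_rules(records, sid_base=9000000):
    """ip:port C2 -> tcp rule on the socket; URL with a path -> http host+uri
    rule; bare domain -> dns query rule.  Indicators on shared hosts (tumblr.com,
    telete.in) must stay path-scoped: blocking the domain breaks the legitimate
    service the malware abuses.  The sid range is an assumption."""
    rules = []
    for n, (family, tag, ind) in enumerate(network_iocs(records)):
        sid, msg = sid_base + n, f"{tag} C2 {ind}"
        m = IPPORT_RE.match(ind)
        if m:
            rules.append(f'alert tcp $HOME_NET any -> {m.group(1)} {m.group(2)} '
                         f'(msg:"{msg}"; flow:to_server; sid:{sid}; rev:1;)')
            continue
        u = urlparse(ind)
        if u.path and u.path != "/":
            rules.append(f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; '
                         f'flow:to_server; http.host; content:"{u.hostname}"; '
                         f'http.uri; content:"{u.path}"; sid:{sid}; rev:1;)')
        else:
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"{msg}"; '
                         f'dns.query; content:"{u.hostname}"; nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(parse_config(CONFIG_TEXT)):
        print(rule)
```

Running it prints five rules: one tcp rule for the RedLine socket, one http rule for the Raccoon url4cnc path on telete.in, and dns rules for the Vidar tumblr profile and the two SmokeLoader domains. The dns rule for romkaxarit.tumblr.com is the one an analyst should review before deployment, since the host is a legitimate service.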
Targets

Target: 10fe1805921ccea2cce4b75338b8024698067c54ff1590e747915885e491fa9b
Size: 1.0MB
MD5: 845e27c1b9c85259e43364ffe45b9f44
SHA1: f1b40b61d256717a866b60332fb25b9e45ce3684
SHA256: 10fe1805921ccea2cce4b75338b8024698067c54ff1590e747915885e491fa9b
SHA512: 38a1441efd0e1f5c9cf29c61be5467e05d310b77ceca5f883482968142e822b94755e6570b04fa82d9ac0b23a9349164cdb62bf43bebd6a5f77c865ef87c0423
- Glupteba Payload
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate the software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
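Four of the signatures above describe the sample reading the registry to decide whether it is in a sandbox: VirtualBox ACPI keys, BIOS strings, the configured country code and the Uninstall list. The following Python is an added example for hardening an analysis VM, not code from the report or from the sample: it reads those same locations, live through winreg on Windows or from an offline snapshot elsewhere, and reports what a malware-side check would find. The registry paths are the standard Windows locations; the marker strings, the two constructed snapshots, GeoID 84 and the "fewer than five installed programs" threshold are assumptions of this example.

```python
"""Check a Windows registry, live or from an offline snapshot, for the artifacts
the report's sandbox-detection signatures describe: VirtualBox ACPI tables,
BIOS/SMBIOS strings, the configured country (GeoID) and the Uninstall list.
Added example for hardening an analysis VM, not code from the report or the
sample.  Key paths are the standard Windows locations; marker strings, the two
snapshots and the 'fewer than five programs' threshold are assumptions."""
try:
    import winreg  # Windows only; the snapshot reader works on any OS
except ImportError:
    winreg = None

UNINSTALL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
ACPI_VBOX_KEYS = (r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", r"HKLM\HARDWARE\ACPI\FADT\VBOX__")
BIOS_VALUES = ((r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
               (r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
               (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
               (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"))
VM_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "BOCHS")
GUEST_TOOLS = ("VIRTUALBOX GUEST", "VMWARE TOOLS")


class SnapshotRegistry:
    """Offline registry as {key path: {value name: data}}; an entry with an
    empty dict still counts as a present key (the ACPI VBOX__ keys)."""
    def __init__(self, keys):
        self.keys = keys
    def key_exists(self, path):
        return path in self.keys
    def read_value(self, path, name):
        return self.keys.get(path, {}).get(name)
    def subkeys(self, path):
        prefix = path + "\\"
        return sorted({k[len(prefix):].split("\\")[0] for k in self.keys if k.startswith(prefix)})


class LiveRegistry:
    """Same interface over winreg (Windows only; a 32-bit Python on 64-bit
    Windows is redirected to the WOW6432Node view of Uninstall)."""
    def _open(self, path):
        hive, _, sub = path.partition("\\")
        root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
        return winreg.OpenKey(root, sub)
    def _query(self, path, fn):
        try:
            with self._open(path) as k:
                return fn(k)
        except OSError:  # missing key or value
            return None
    def key_exists(self, path):
        return self._query(path, lambda k: True) is True
    def read_value(self, path, name):
        return self._query(path, lambda k: winreg.QueryValueEx(k, name)[0])
    def subkeys(self, path):
        return self._query(path, lambda k: [winreg.EnumKey(k, i)
                                            for i in range(winreg.QueryInfoKey(k)[0])]) or []


def assess(reg):
    """(category, detail) findings: 'vm' = hypervisor artifact the sample's checks
    would hit, 'geo' = the GeoID a geofence reads, 'sandbox' = bare software list."""
    findings = [("vm", f"{key} present") for key in ACPI_VBOX_KEYS if reg.key_exists(key)]
    for key, name in BIOS_VALUES:
        data = reg.read_value(key, name)
        if data is None:
            continue
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)  # REG_MULTI_SZ
        hit = next((m for m in VM_MARKERS if m in text.upper()), None)
        if hit:
            findings.append(("vm", f"{key}\\{name} = {text!r} contains {hit}"))
    nation = reg.read_value(r"HKCU\Control Panel\International\Geo", "Nation")
    if nation is not None:
        findings.append(("geo", f"GeoID {nation} is what a geofence check reads"))
    names = [reg.read_value(f"{UNINSTALL}\\{s}", "DisplayName") or s for s in reg.subkeys(UNINSTALL)]
    if len(names) < 5:
        findings.append(("sandbox", f"only {len(names)} Uninstall entries; a bare image looks like a sandbox"))
    findings += [("vm", f"guest tooling installed: {n}") for n in names if any(g in n.upper() for g in GUEST_TOOLS)]
    return findings


# Constructed snapshot of a stock VirtualBox guest, i.e. what the sample would see.
VBOX_SNAPSHOT = SnapshotRegistry({
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HKLM\HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["VBOX   - 1"],
                                          "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.22 VGA BIOS"]},
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {"SystemManufacturer": "innotek GmbH", "SystemProductName": "VirtualBox"},
    r"HKCU\Control Panel\International\Geo": {"Nation": "84"},
    UNINSTALL + r"\Oracle VM VirtualBox Guest Additions": {"DisplayName": "Oracle VM VirtualBox Guest Additions 6.1.22"},
    UNINSTALL + r"\Google Chrome": {"DisplayName": "Google Chrome"},
})
# Constructed snapshot of the same guest after the DMI strings were overridden,
# Guest Additions removed and a plausible set of applications installed.
HARDENED_SNAPSHOT = SnapshotRegistry({
    r"HKLM\HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["DELL   - 1072009"]},
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {"SystemManufacturer": "Dell Inc.", "SystemProductName": "OptiPlex 7050"},
    r"HKCU\Control Panel\International\Geo": {"Nation": "84"},
    **{UNINSTALL + "\\" + n: {"DisplayName": n}
       for n in ("Google Chrome", "7-Zip", "Adobe Reader", "Mozilla Firefox", "VLC", "Notepad++")},
})

if __name__ == "__main__":
    for category, detail in assess(LiveRegistry() if winreg else VBOX_SNAPSHOT):
        print(category, detail)
```

On the stock VirtualBox snapshot the check reports eight findings (six hypervisor artifacts, the GeoID and the bare Uninstall list); on the hardened snapshot only the GeoID remains, which is the one value an analyst may want to set deliberately, since the report's win7-fr task shows that locale is part of what the sample inspects. The same assess() runs unchanged against LiveRegistry on a real analysis VM.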